AWS CloudTrail
User Guide (Version 1.0)

Creating a Trail

Follow the procedure to create a trail that applies to all regions. A trail that applies to all regions delivers log files from all regions to an S3 bucket. After you create the trail, CloudTrail automatically starts logging the events that you specified.

Creating a Trail in the Console

You can configure your trail for the following:

  • Specify if you want the trail to apply to all regions or to apply to a single region.

  • Specify an Amazon S3 bucket to receive log files.

  • For management and data events, specify if you want to log read-only, write-only, or all events.

To create a CloudTrail trail with the AWS Management Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Choose the region where you want the trail to be created.

  3. Choose Get Started Now.

  4. On the Create Trail page, for Trail name, type a name for your trail. For more information, see CloudTrail Trail Naming Requirements.

  5. For Apply trail to all regions, choose Yes to receive log files from all regions. This is the default and recommended setting. If you choose No, the trail logs events only from the region in which you create the trail.

  6. For Management events, for Read/Write events, choose if you want your trail to log All, Read-only, Write-only, or None, and then choose Save. By default, trails log All management events. For more information, see Management Events.

  7. For Data events, type the S3 bucket name and prefix (optional) for which you want to log object-level operations. For each resource, specify whether you want to log Read-only, Write-only, or All events. By default, trails don't log data events. For more information, see Data Events.

  8. For Storage location, for Create a new S3 bucket, choose Yes to create a new bucket. When you create a new bucket, CloudTrail creates the required IAM policies for you and applies them to the bucket.

    Note

    If you chose No, choose an existing S3 bucket. The bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy, see Amazon S3 Bucket Policy for CloudTrail.

  9. For S3 bucket, type a name for the bucket you want to designate for log file storage. The name must be globally unique. For more information, see Amazon S3 Bucket Naming Requirements.

  10. To configure advanced settings, see Configuring Advanced Settings for your Trail. Otherwise, choose Create.

  11. The new trail appears on the Trails page. The Trails page shows the trails in your account from all regions. In about 15 minutes, CloudTrail publishes log files that show the AWS API calls made in your account. You can see the log files in the S3 bucket that you specified.

Note

You can't rename a trail after it has been created. Instead, you can delete the trail and create a new one.

Configuring Advanced Settings for your Trail

You can configure the following settings for your trail:

  • Specify a log file prefix for the S3 bucket receiving log files.

  • Encrypt log files with AWS Key Management Service.

  • Enable log file validation for logs.

  • Configure Amazon SNS to notify you when log files are delivered.

To configure advanced settings for your trail

  1. For Storage location, choose Advanced.

  2. In the Log file prefix field, type a prefix for your Amazon S3 bucket. The prefix is an addition to the URL for an Amazon S3 object that creates a folder-like organization in your bucket. The location where your log files will be stored is shown under the text field.

  3. For Encrypt log files, choose Yes if you want AWS KMS to encrypt your log files.

  4. For Create a new KMS key, choose Yes to create a new key or No to use an existing one.

  5. If you chose Yes, in the KMS key field, type an alias. CloudTrail encrypts your log files with the key and adds the policy for you.

    Note

    If you chose No, choose an existing KMS key. You can also type the ARN of a key from another account. For more information, see Updating a Trail to Use Your CMK. The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see AWS KMS Key Policy for CloudTrail.

  6. For Enable log file validation, choose Yes to have log digests delivered to your S3 bucket. You can use the digest files to verify that your log files did not change after CloudTrail delivered them. For more information, see Validating CloudTrail Log File Integrity.

  7. For Send SNS notification for every log file delivery, choose Yes if you want to be notified each time a log is delivered to your bucket. CloudTrail stores multiple events in a log file. SNS notifications are sent for every log file, not for every event.

  8. For Create a new SNS topic, choose Yes to create a new topic, or choose No to use an existing topic. If you are creating a trail that applies to all regions, SNS notifications for log file deliveries from all regions will be sent to the single SNS topic that you create.

    Note

    If you chose No, choose an existing topic. You can also enter the ARN of a topic from another region or from an account with appropriate permissions. For more information, see Amazon SNS Topic Policy for CloudTrail.

  9. If you chose Yes, in the SNS topic field, type a name.

    If you create a topic, you must subscribe to the topic to be notified of log file delivery. You can subscribe from the Amazon SNS console. Due to the frequency of notifications, we recommend that you configure the subscription to use an Amazon SQS queue to handle notifications programmatically. For more information, see the Amazon Simple Notification Service Getting Started Guide.

  10. Choose Create.
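The two procedures above, expressed as an added example that is not part of this guide: the S3 bucket policy that the note in step 8 of the first procedure describes (with the log file prefix from step 2 of the advanced settings built into it), the `create_trail` parameters that correspond to the recommended console choices, and the management/data event selectors from steps 6 and 7. The boto3 client methods are real; the trail name, bucket name, prefix and account ID are constructed placeholders.

```python
from typing import Any, Dict, List, Optional

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def bucket_policy(bucket: str, account_id: str, prefix: str = "") -> Dict[str, Any]:
    """Policy equivalent to what the console attaches to a new bucket: CloudTrail may
    read the bucket ACL and write only under <prefix>/AWSLogs/<account>/, and only when
    it grants the bucket owner full control of each delivered object."""
    prefix_part = f"{prefix.strip('/')}/" if prefix else ""
    log_arn = f"arn:aws:s3:::{bucket}/{prefix_part}AWSLogs/{account_id}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SERVICE},
         "Action": "s3:PutObject", "Resource": log_arn,
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}


def trail_params(name: str, bucket: str, prefix: str = "", kms_key_id: Optional[str] = None,
                 sns_topic: Optional[str] = None) -> Dict[str, Any]:
    """Keyword arguments for boto3 CloudTrail.create_trail matching the recommended
    console choices: all regions, log file validation on, optional KMS key and SNS topic."""
    params: Dict[str, Any] = {"Name": name, "S3BucketName": bucket, "IsMultiRegionTrail": True,
                              "IncludeGlobalServiceEvents": True, "EnableLogFileValidation": True}
    if prefix:
        params["S3KeyPrefix"] = prefix
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id  # the key policy must allow CloudTrail to use this key
    if sns_topic:
        params["SnsTopicName"] = sns_topic
    return params


def event_selectors(read_write: str = "All", s3_data_arn: Optional[str] = None) -> List[Dict[str, Any]]:
    """Steps 6-7: management events filtered by read/write type, plus optional
    object-level S3 data events for one bucket or prefix ARN."""
    if read_write not in ("All", "ReadOnly", "WriteOnly"):
        raise ValueError("read_write must be All, ReadOnly or WriteOnly")
    data = [{"Type": "AWS::S3::Object", "Values": [s3_data_arn]}] if s3_data_arn else []
    return [{"ReadWriteType": read_write, "IncludeManagementEvents": True, "DataResources": data}]


if __name__ == "__main__":  # live run needs AWS credentials; the names below are constructed placeholders
    import boto3
    ct = boto3.client("cloudtrail")
    ct.create_trail(**trail_params("example-trail", "example-cloudtrail-logs", prefix="audit"))
    ct.put_event_selectors(TrailName="example-trail", EventSelectors=event_selectors("All"))
    ct.start_logging(Name="example-trail")  # unlike the console, the API does not start logging for you
```

The bucket policy is the classic form this version of the guide describes; apply it to the bucket before calling `create_trail`, or the call fails because CloudTrail cannot write to it.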

Next Steps

After you create your trail, you can return to the trail to make changes:

  • Configure CloudTrail to send log files to CloudWatch Logs. For more information, see Sending Events to CloudWatch Logs.

  • Add custom tags (key-value pairs) to the trail.

  • To create another trail, return to the Trails page and choose Add new trail.

Note

When configuring a trail, you can choose an S3 bucket and SNS topic that belongs to another account. However, if you want CloudTrail to deliver events to a CloudWatch Logs log group, you must choose a log group that exists in your current account.